b'            OFFICE OF\n     THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n     FISCAL YEAR 2011 EVALUATION OF\n  THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION\n    SECURITY MANAGEMENT ACT OF 2002\n\n\n      November 2011   A-14-11-01134\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n   \xef\x82\xa6 Conduct and supervise independent and objective audits and\n       investigations relating to agency programs and operations.\n   \xef\x82\xa6   Promote economy, effectiveness, and efficiency within the agency.\n   \xef\x82\xa6   Prevent and detect fraud, waste, and abuse in agency programs and\n       operations.\n   \xef\x82\xa6   Review and make recommendations regarding existing and proposed\n       legislation and regulations relating to agency programs and operations.\n   \xef\x82\xa6   Keep the agency head and the Congress fully and currently informed of\n       problems in agency programs and operations.\n\n   To ensure objectivity, the IG Act empowers the IG with:\n\n   \xef\x82\xa6 Independence to determine what reviews to perform.\n   \xef\x82\xa6 Access to all information necessary for the reviews.\n   \xef\x82\xa6 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, 
operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                                SOCIAL SECURITY\nMEMORANDUM\n\nDate:      November 14, 2011                                                            Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Fiscal Year 2011 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\n           Federal Information Security Management Act of 2002 (A-14-11-01134)\n\n\n           OBJECTIVE\n           Our objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\n           overall security program and practices complied with the requirements of the Federal\n           Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2011. 1\n\n           BACKGROUND\n           FISMA provides the framework for securing the Government\xe2\x80\x99s information and\n           information systems. All agencies must implement the requirements of FISMA and\n           report annually to the Office of Management and Budget (OMB), Department of\n           Homeland Security (DHS), and Congress on the adequacy and effectiveness of their\n           security programs. FISMA requires that each agency develop, document, and\n           implement an agency-wide information security program. 
2 OMB and DHS use\n           information reported pursuant to FISMA to evaluate agency-specific and Government-\n           wide security performance and develop the annual security report to Congress.\n\n           In July 2010, DHS began exercising primary responsibility within the executive branch\n           for the operational aspects of Federal cybersecurity with respect to the Federal\n           information systems (IS) that fall within FISMA under 44 U.S.C. \xc2\xa7 3543. 3 DHS is\n           subject to general OMB oversight in accordance with 44 U.S.C. \xc2\xa7 3543(a) and is subject\n           to the limitations and requirements that apply to OMB under 44 U.S.C. \xc2\xa7 3543(b)-(c). 4\n\n           1\n               Pub. L. No. 107-347, Title III, Section 301.\n           2\n               Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b), 44 U.S.C. \xc2\xa7 3544(b).\n           3\n            OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive\n           Office of the President and the Department of Homeland Security, July 6, 2010.\n           4\n               Id.\n\x0cPage 2 - The Commissioner\n\n\nOn September 14, 2011, OMB issued its FY 2011 FISMA reporting guidance, 5 which\nincorporated DHS\xe2\x80\x99 August 24, 2011 Federal Information Security Memorandum (FISM)\n11-02, FY 2011 Reporting Instructions for the Federal Information Security Management\nAct and Agency Privacy Management. FISM 11-02 provided FY 2011 FISMA reporting\ninstructions to Federal Chief Information Officers, Inspectors General (IG), and Senior\nAgency Officials for Privacy. 
DHS continues to require that Chief Information Officers,\nIGs, and Senior Agency Officials for Privacy use a Web platform, CyberScope, to\nsubmit FISMA reports and data.\n\nWe evaluated SSA\xe2\x80\x99s information security program to determine whether the Agency\nestablished and maintained key information security programs and practices as\nidentified by DHS. 6 DHS\xe2\x80\x99 11 key FISMA programs and metrics and our responses are\nin Appendix B. Also, see Appendix C for additional background.\n\nSCOPE AND METHODOLOGY\nFISMA directs each agency\xe2\x80\x99s IG or an independent external auditor, as determined by\nthe agency\xe2\x80\x99s IG, to perform an annual, independent evaluation of the effectiveness of\nthe agency\xe2\x80\x99s information security program and practices. 7 SSA\xe2\x80\x99s Office of the Inspector\nGeneral (OIG) contracted with Grant Thornton LLP (GT) to audit SSA\xe2\x80\x99s FY 2011\nfinancial statements.8 Because of the extensive internal control system review that is\ncompleted as part of that work, our FISMA requirements were incorporated into GT\xe2\x80\x99s\nfinancial statement information technology-related work. This evaluation included the\nFederal Information System Controls Audit Manual level reviews of SSA\xe2\x80\x99s financial-\nrelated information systems. GT also performed an \xe2\x80\x9cagreed-upon procedures\xe2\x80\x9d\nengagement using FISMA, OMB, DHS, National Institute of Standards and Technology\n(NIST) guidance, Federal Information System Controls Audit Manual, and other relevant\nsecurity laws and regulations as a framework to provide information and documentation\nfor the required OIG review of SSA\xe2\x80\x99s information security program, practices, and\ninformation systems.\n\nThis report informs Congress and the public about SSA\xe2\x80\x99s security performance and\nfulfills the OMB requirement under FISMA to submit an annual report to Congress. 
It\nprovides an assessment of SSA\xe2\x80\x99s information security strengths and weaknesses and a\nplan of action to improve performance. See Appendix D for more details on our scope\nand methodology.\n\n\n5\n OMB Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, September 14, 2011.\n6\n DHS, FY 2011 Inspector General Federal Information Security Management Act Reporting, Version 1.0,\nJune 1, 2011.\n7\n    Pub. L. No. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3545(b)(1).\n8\n OIG Contract Number GS-23F-8196H, December 3, 2009. The FY 2011 option was exercised in\nDecember 2010.\n\x0cPage 3 - The Commissioner\n\n\nSUMMARY OF RESULTS\nOIG and GT\xe2\x80\x99s work determined that SSA\xe2\x80\x99s security programs and practices were\ngenerally consistent with FISMA requirements for FY 2011; 9 however, there were some\nareas that needed improvement. SSA continues to work toward maintaining a secure\nenvironment for its information and systems. For example, SSA continues to have\ngenerally consistent processes in a number of areas, including risk management,\nvulnerability remediation, security training, remote access, continuous monitoring (CM),\nsecurity capital planning, and account and identity management. Our responses to the\nFY 2011 DHS IG metrics are in Appendix B. We used these metrics to evaluate SSA\xe2\x80\x99s\ncompliance with FISMA for FY 2011.\n\nAlthough the Agency continues to protect its information and systems, the FY 2011\nfinancial statement audit again identified a significant deficiency for financial statement\nreporting. It should be noted that a financial statement significant deficiency in internal\ncontrol10 does not necessarily rise to the level of a significant deficiency as defined in\nFISMA. 
11 The FY 2011 financial statement audit significant deficiency does not rise to\nthe level of a significant deficiency under FISMA because of other compensating\ncontrols the Agency has in place, such as intrusion detection systems, guards, closed\ncircuit televisions, automated systems checks, configuration management, and firewalls.\n\n\n\n\n9\n    See Appendix B.\n10\n  The definition of a significant deficiency for financial statement internal control is provided by the\nStatement on Auditing Standards Number 115, Communicating Internal Control-Related Matters\nIdentified in an Audit. This Statement on Auditing Standards states a significant deficiency is a\ndeficiency, or a combination of deficiencies, in internal control that is less severe than a material\nweakness, yet important enough to merit attention by those charged with governance. A material\nweakness is a deficiency, or combination of deficiencies, in internal control, such that there is a\nreasonable possibility that a material misstatement of the entity\'s financial statements will not be\nprevented or detected and corrected on a timely basis.\n11\n   DHS provided the definition of a significant deficiency under FISMA in FISM 11-02. The Frequently\nAsked Questions section, p. 8. defines a significant deficiency as a weakness in an agency\xe2\x80\x99s overall\ninformation systems security program or management control structure, or within one or more information\nsystems that significantly restricts the capability of the agency to carry out its mission or compromises the\nsecurity of its information, information systems, personnel, or other resources, operations, or assets. 
In\nthis context, the risk is great enough that the agency head and outside agencies must be notified and\nimmediate or near-immediate corrective action must be taken.\n\x0cPage 4 - The Commissioner\n\n\nAlthough we concluded that SSA\xe2\x80\x99s security programs were generally consistent with\nFY 2011 FISMA requirements, our review found areas where SSA can improve the\nsecurity over its systems and protection of sensitive information. SSA should ensure\n\n\xe2\x80\xa2     continued improvements in change and access control processes;\n\xe2\x80\xa2     continued improvements in its risk management process;\n\xe2\x80\xa2     proper incident handling and reporting;\n\xe2\x80\xa2     protection of personally identifiable information (PII); 12\n\xe2\x80\xa2     contractors receive security awareness and specialized training;\n\xe2\x80\xa2     continued implementation of its CM strategy; and\n\xe2\x80\xa2     contractor system oversight.\n\nCONTINUED IMPROVEMENTS IN CHANGE AND ACCESS CONTROL PROCESSES\n\nOMB Circular A-123 Significant Deficiency\n\nControlling and limiting systems access to the Agency\xe2\x80\x99s information systems and\nresources is the first line of defense in ensuring the confidentiality, integrity, and\navailability of the Agency\xe2\x80\x99s information resources. 13 Lack of adequate access controls\ncompromises the completeness, accuracy, and validity of the information in the system.\n\nIn FY 2009, our audit of SSA\xe2\x80\x99s financial statements identified a significant deficiency14 in\nthe Agency\xe2\x80\x99s control of access to its sensitive information. 15 In FYs 2010 and 2011,\nGT\xe2\x80\x99s audit of SSA\xe2\x80\x99s financial statements continued to identify a significant deficiency in\nthe Agency\xe2\x80\x99s change control management and access to sensitive information. 
16\nSpecifically, GT\xe2\x80\x99s FY 2011 testing disclosed that SSA developed policies and\nprocedures for periodically reassessing the content of security access profiles but has\nnot implemented them consistently Agencywide. In addition, SSA provided some\nemployees and contractors more security permissions than required to complete their\njob responsibilities. Furthermore, GT found that some of the Agency\xe2\x80\x99s software\n12\n   OMB, M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the\nCost for Security in Agency Information Technology Investments, p. 1, July 2006, defines PII as any\ninformation about an individual maintained by an agency, including, but not limited to, education, financial\ntransactions, medical history, and criminal or employment history and information that can be used to\ndistinguish or trace an individual\'s identity, such as their name, Social Security number, date and place of\nbirth, mother\'s maiden name, biometric records, etc., including any other personal information that is\nlinked or linkable to an individual.\n13\n     SSA, Information Systems Security Handbook, Section 2.1.\n14\n     See Footnote 10.\n15\n     SSA OIG, Independent Auditor\xe2\x80\x99s Report on SSA\xe2\x80\x99s FY 2009 Financial Statements, November 9, 2009.\n16\n GT, Independent Auditor\xe2\x80\x99s Report on SSA\xe2\x80\x99s FY 2010 Financial Statements, November 8, 2010 and\nGT, Independent Auditor\xe2\x80\x99s Report on SSA\xe2\x80\x99s FY 2011 Financial Statements, November 7, 2011.\n\x0cPage 5 - The Commissioner\n\n\nconfigurations increased the risk of unauthorized access to SSA\xe2\x80\x99s key financial data and\nprograms.17\n\nGT recommended that SSA management implement (1) policies and procedures that\nrequire a periodic review of the content of all security profiles,18 (2) controls to test and\nmonitor configurations on the mainframe and network operating system environments,\nand (3) procedures 
that require ongoing monitoring of implemented configurations to\nidentify and address security risks. 19\n\nIn FY 2011, SSA issued two policies 20 and assembled a workgroup to address the\naccess control weaknesses identified in prior years. The workgroup is testing a\ncommercial tool to manage SSA employee and contractor access. The Agency stated\nthat it is finalizing the profile reviewing procedures. In addition, the new tool, when\nimplemented, will automate the process SSA uses to review its security profiles. SSA\nplans to implement the tool in the second quarter of FY 2012 to resolve some of its\naccess control weaknesses.\n\nCONTINUED IMPROVEMENTS IN ITS RISK MANAGEMENT PROCESS\n\nWe found SSA\xe2\x80\x99s risk management 21 program was generally consistent with FY 2011\nFISMA requirements.22 NIST guidance indicates that the Risk Management Framework\nsteps include, among other things, categorizing an agency\xe2\x80\x99s IS and the information\nprocessed, stored, and transmitted by that IS; selecting and implementing proper IS\nsecurity controls; and assessing the effectiveness of these controls. 23 Once IS controls\n\n\n\n17\n     GT, Independent Auditor\xe2\x80\x99s Report on SSA\xe2\x80\x99s FY 2011 Financial Statements, November 7, 2011.\n18\n  A profile is one of SSA\xe2\x80\x99s primary access control mechanisms. Each profile contains a unique mix of\nfacilities and transactions that determines what access to systems resources that specific position needs.\n19\n     See Footnote 17.\n20\n  SSA, Security Profile Administration Processes Final Mainframe Administration Standards, May 10,\n2011, and SSA, Security Profile Administration Processes Profile Naming Conventions, October 28,\n2010.\n21\n  NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management\nFramework to Federal Information Systems, Appendix B, February 2010 p. 
B-8, defines risk management\nas \xe2\x80\x9cThe process of managing risks to organizational operations (including mission, functions, image,\nreputation), organizational assets, individuals, other organizations, and the Nation, resulting from the\noperation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the\nimplementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the\ncontinuous monitoring of the security state of the information system.\xe2\x80\x9d\n22\n     See Appendix B, Section 1.\n23\n     NIST SP 800-37, Revision 1, supra at pp. 7 and 8.\n\x0cPage 6 - The Commissioner\n\n\nare selected and tested, the IS undergoes a security authorization process to obtain an\napproval to operate. 24\n\nWe determined SSA had conducted security authorizations 25 for its 21 major systems\nand applications 26 in the past 3 years. Further, we reviewed four of the six major\nsystems or applications that underwent a security authorization in FY 2011 and found\nthe process was generally consistent with OMB and NIST guidance. DHS guidance\nprovides that the security authorization process formally authorizes a system to operate\nand provides a systematic approach for assessing security controls to determine their\noverall effectiveness. 27 However, SSA stated that because of budget cuts, it did not\nupdate the System Security Plans (SSP) 28 for two major systems, FALCON Data Entry\nSystem and Security Unified Measurement System, or perform annual security control\ntesting for these two systems, as required by FISMA. 29\n\nThe FALCON Data Entry System is used in SSA\xe2\x80\x99s processing centers to correct or\nupdate mass amounts of SSA benefit payment data by manual data entries. Security\nUnified Measurement System provides SSA managers and analysts information\nrequired to meet strategic business needs, support process reviews and support\ncompliance with government standards for cost accountability. 
Because the SSPs were\nnot updated and the annual security controls were not tested, the Agency cannot ensure\n(1) the two SSPs continue to reflect the correct security information about the system\nand (2) key security controls continue to operate effectively and efficiently to protect the\nconfidentiality, integrity, and availability of the data contained in these systems.\n\nFY 2011 FISMA guidance states, \xe2\x80\x9c. . . Rather than enforcing a static, three-year\nreauthorization process, agencies are expected to conduct ongoing authorizations of\ninformation systems through the implementation of CM programs.\xe2\x80\x9d30 FISMA guidance\n\n24\n     Id.\n25\n   NIST SP 800-37, Revision 1, supra at pp. B-1 and B-8, defines the security authorization as \xe2\x80\x9cThe\nofficial management decision given by a senior organizational official to authorize operation of an\ninformation system and to explicitly accept the risk to organizational operations (including mission,\nfunctions, image, or reputation),organizational assets, individuals, other organizations, and the Nation\nbased on the implementation of an agreed-upon set of security controls.\xe2\x80\x9d\n26\n     See Appendix E for a list and definitions of the 21 major systems and applications.\n27\n     DHS FISM 11-02, supra, Frequently Asked Questions, Question 25, at p. 10.\n\n28\n  NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems,\nFebruary 2006, p. 39, defines System Security Plan as a \xe2\x80\x9cFormal document that provides an overview of\nthe security requirements for the information system and describes the security controls in place or\nplanned for meeting those requirements.\xe2\x80\x9d\n\n29\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b)(5), 44 U.S.C. \xc2\xa7 3544(b)(5).\n30\n     DHS FISM 11-02, supra, Frequently Asked Questions, Question 28, p. 
10.\n\x0cPage 7 - The Commissioner\n\n\nalso states, \xe2\x80\x9cAgency officials should monitor the security state of their information\nsystems on an ongoing basis with a frequency sufficient to make ongoing risk-based\ndecisions on whether to continue to operate the systems within their organizations.\xe2\x80\x9d 31\nFinally, FISMA guidance indicates that a CM program will help make the security\nauthorization process more dynamic and responsive to today\xe2\x80\x99s Federal missions and\nrapidly changing conditions. 32\n\nWe found SSA was transitioning to this new dynamic process. As of September 2011,\nSSA had issued its CM strategy to establish, implement, and maintain a more robust\nand near real-time program (see additional information in the section related to CM). In\nthe future, we will assess how SSA integrates its CM program with its security\nauthorization program.\n\nPROPER INCIDENT HANDLING AND REPORTING\n\nSSA\xe2\x80\x99s Incident Handling and Reporting program was generally consistent with FY 2011\nFISMA requirements.33 SSA implemented an automated PII Loss Reporting tool34 to\nensure compliance with Federal requirements and address our prior year finding related\nto SSA\xe2\x80\x99s PII incident reporting timeframe. 35 Additionally, we found SSA reported\n100 percent of the PII incidents included in our FY 2011 sample to the United States\nComputer Emergency Readiness Team (US-CERT) within 1 hour. 36 However, our\nreview identified the following weaknesses.\n\n\xe2\x80\xa2     We did not receive any reports of PII incidents for FY 2011.\n\xe2\x80\xa2     SSA policy did not establish a law enforcement reporting timeframe.\n\nFISMA requires that agencies notify and consult law enforcement agencies and their\nOIGs regarding security incidents, as appropriate. 37 FISMA did not define what security\n31\n     DHS FISM 11-02, supra, Frequently Asked Questions, Question 28, p. 
11.\n32\n     DHS FISM 11-02, supra, Frequently Asked Questions, Question 32, p. 12.\n33\n     See Appendix B, Section 3.\n34\n  In FY 2010, the Office of the Chief Information Officer implemented an automated PII Loss Reporting\ntool to enable SSA to report a higher percentage of PII incidents to US-CERT within 1 hour.\n35\n   OMB guidance requires that agencies report to US-CERT within 1 hour of discovery/detection any\nunauthorized access to PII or any incident involving PII when (1) an individual gains logical or physical\naccess without permission to a federal agency network, system, application, data, or other resource; or\n(2) there is a suspected or confirmed breach of PII regardless of the manner in which it might have\noccurred. OMB, M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable\nInformation, May 22, 2007, p. 10.\n36\n  In FY 2010, according to a sample we tested, SSA reported 80 percent of PII incidents to US-CERT\nwithin 1 hour.\n37\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b)(7)(C)(i), 44 U.S.C. \xc2\xa7 3544(b)(7)(C)(i).\n\x0cPage 8 - The Commissioner\n\n\nincidents are appropriate to be reported to law enforcement or the OIG. Instead,\nFederal guidance38 advises agencies to discuss with various law enforcement\nrepresentatives conditions under which incidents should be reported to law enforcement\nand OIG, how the incidents should be reported, what evidence should be collected, and\nhow the evidence should be collected.\n\nIn FYs 2009 and 2010, we reported SSA did not report any PII-related incidents to the\nOIG. We also found SSA\xe2\x80\x99s policy and procedures did not provide guidance on what\ntype of security incidents and in what timeframe these incidents must be reported to law\nenforcement and the OIG. We identified the same conditions in FY 2011. 
Although\nspecific guidance had not been developed, we believe, at a minimum, all security\nincidents SSA deemed appropriate to be reported to law enforcement should have been\nreported to us.\n\nTo resolve this issue, the Agency is working with the OIG\xe2\x80\x99s Office of Technology and\nResource Management to establish guidance for reporting specific security-related\nincidents, including PII. Additionally, the Agency developed its PII Loss Reporting Tool\nto automatically notify the OIG\xe2\x80\x99s Office of Technology and Resource Management of PII\nincidents. However, the OIG did not receive any reports of PII incidents in FY 2011\nbecause of an incorrect email address incorporated into SSA\xe2\x80\x99s PII Loss Reporting Tool.\n\nBecause SSA did not refer any incidents to OIG for investigation, we could not conduct\nany additional investigation, if needed. As a result, we could not conclude that SSA\ntimely resolved these incidents to minimize future damage. 39 We continue to\nrecommend SSA:\n\n1. Work with the OIG to establish policy and procedures on what types of PII incidents\n   should be reported to law enforcement and the OIG and in what timeframes.\n2. Revise its policy, guidance, procedures, and timeframes for reporting of PII incidents\n   to law enforcement, including the OIG.\n\nPROTECTION OF PII\n\nThe Privacy Act of 1974 40 requires that Federal agencies safeguard PII. In addition,\nFISMA requires that agencies protect their information from unauthorized disclosure 41\n\n\n38\n   NIST SP 800-61, Revision 1, Computer Security Incident Handling Guide, Section 2.3.4.2, March 2008,\np. 2-6.\n39\n     See Appendix B, 3.a(5).\n40\n     Pub. L. No. 93-579, as amended, \xc2\xa7 552a(e)(10), 5 U.S.C. 
\xc2\xa7 552a(e)(10).\n41\n  FISMA requires that agencies protect information collected or maintained by, or on behalf of, agencies\ncommensurate with the risk and magnitude of harm from unauthorized access, use, disclosure,\ndisruption, modification or destruction. Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(a)(1)(A)(i),\n44 U.S.C. \xc2\xa7 3544(a)(1)(A)(i).\n\x0cPage 9 - The Commissioner\n\n\nand OMB has issued several memorandums on how agencies should safeguard PII. 42\nAlthough SSA has established policies and procedures for PII protection, we noted an\nopportunity for improvement.\n\nWe performed a follow-up audit that identified a breach of PII from the Agency\xe2\x80\x99s\npublication of its Death Master File (DMF). 43 We found that SSA continued publishing\nthe DMF with knowledge that the DMF contents included PII of living individuals. SSA\nstated it could not limit the information included in the DMF version sold to the public to\nthe absolute minimum required because deceased individuals do not have privacy\ninterests. The Agency also stated that the number of DMF errors was small relative to\nthe number of death transactions, and that SSA had no evidence of Social Security\nnumber misuse related to these DMF errors. Further, SSA implemented procedures to\nreport erroneous death entry-related PII breaches to US-CERT each week. However,\nwe remain concerned about the potential for harm to the living individuals whose PII is,\nand will be, published in the DMF.\n\nSSA stated that it holds sensitive information about hundreds of millions of people in its\nrecords. SSA further stated while it takes even a small error rate very seriously,\nfocusing on the DMF belies the Agency\xe2\x80\x99s success in protecting the privacy of sensitive\ninformation contained in its records.\n\nCONTRACTORS RECEIVE SECURITY AWARENESS AND SPECIALIZED\nTRAINING\n\nSSA\xe2\x80\x99s security training program was generally consistent with FY 2011 FISMA\nrequirements. 
44 SSA made some improvements in its security training program. SSA\ndeveloped additional role-based training guidance for personnel with significant security\nresponsibilities in FY 2011. Additionally, the Agency required that its employees\ncomplete their FY 2011 annual security awareness training through an automated\ninteractive program. Moreover, in FY 2012, the Office of Information Security (OIS) is\nstrengthening its training program by creating and delivering managerial and executive\ninformation security training in FY 2012.\n\nHowever, we found the Agency did not require that contractors complete annual\nsecurity awareness training through this interactive program. The Agency plans to\n\n42\n   OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006; M-06-16,\nProtection of Sensitive Agency Information, June 23, 2006; M-07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, May 22, 2007; and M-06-19, Reporting\nIncidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency\nInformation Technology Investments, July 12, 2006.\n43\n SSA OIG, Follow-up: Personally Identifiable Information Made Available to the Public Via the Death\nMaster File (A-06-10-20173), March 2011. SSA maintains a record of reported deaths known as the\nDMF, which is provided to public and private customers.\n44\n     See Appendix B, Section 4.\n\x0cPage 10 - The Commissioner\n\n\nrequire that contractors use this automated program next FY. Although the Agency\xe2\x80\x99s\nsecurity training program is generally consistent with FY 2011 FISMA requirements, we\nidentified some weaknesses related to security training for SSA\xe2\x80\x99s contractors.\n\n\xe2\x80\xa2     SSA did not ensure all contractor personnel received and completed annual security\n      awareness training. 
45\n\xe2\x80\xa2     SSA did not maintain a comprehensive list of all contractors with significant security\n      responsibilities; as a result, SSA could not ensure all such contractors received\n      appropriate specialized training. 46\n\nSSA policy requires that contractor personnel annually sign a Personnel Security\nCertification form to certify completion and comprehension of the Agency\xe2\x80\x99s security\nawareness training requirements.47 We requested the Personnel Security Certification\nforms for a sample of 30 contractors. SSA provided 11 forms. For the other 19, the\nAgency had 11 contractors sign and date the form after our request but did not provide\nthe other 8 forms. We also found that SSA did not define a timeframe for each\ncontractor to complete the certification form.\n\nAs a result, contractors may have access to systems and data without proper security\ntraining and certification. In addition, we do not believe the contractor\xe2\x80\x99s signature on the\ncertification form is an effective control for ensuring the contractor took the appropriate\nsecurity awareness training, because the contractor could sign the form without taking\nthe training.\n\n\n\n\n45\n   FISMA requires each agency head to ensure that that the agency has trained personnel sufficient to\nassist the agency in complying with the requirements of this subchapter [44 USCS \xc2\xa7\xc2\xa7 3541 et seq.] and\nrelated policies, procedures, standards, and guidelines. It also requires agencies to have an agency-wide\ninformation security program that includes security awareness training to inform personnel, including\ncontractors and other users of information systems that support the operations and assets of the agency,\nof--\n     (A) information security risks associated with their activities; and\n     (B) their responsibilities in complying with agency policies and procedures designed to reduce these\nrisks. Pub. L. No. 
107-347, Title III, Section 301(b) \xc2\xa7\xc2\xa7 3544(a)(4) and (b)(4), 44 U.S.C. \xc2\xa7\xc2\xa7 3544(a)(4) and\n(b)(4). In addition, NIST SP 800-50, Building an Information Technology Security Awareness and Training\nProgram, October 2003, Footnote 13, p. 20, states \xe2\x80\x9c[a]t a minimum, the entire workforce should be\nexposed to awareness material annually.\xe2\x80\x9d\n46\n  FISMA requires that the agency Chief Information Officer ensure compliance with FISMA requirements,\nincluding training and overseeing personnel with significant responsibilities for information security with\nrespect to such responsibilities. Pub. L. No. 107-347, Title III, Section 301(b) \xc2\xa7 3544(a)(3)(D), 44 U.S.C.\n\xc2\xa7 3544(a)(3)(D).\n47\n     SSA, Information Systems Security Handbook, Appendix B, Roles and Responsibilities.\n\x0cPage 11 - The Commissioner\n\nFurther, we could not determine whether SSA\xe2\x80\x99s contractors with significant information\nsecurity responsibilities 48 received specialized training or whether such training\ncontained appropriate content based on organizational roles. We requested, but were\nunable to obtain, a comprehensive list of contractors with significant information security\nresponsibilities. SSA staff stated that the Agency does not have sufficient guidance on\ncategorizing contractors with significant information security responsibilities. Moreover,\nSSA staff stated that each component subjectively categorized contractors with\nsignificant information security responsibilities. As a result, SSA could not provide a\ncomprehensive list that included all contractors with significant information security\nresponsibilities and SSA does not know whether all such contractors received\nappropriate specialized training.\n\nWe recommend SSA establish a timeframe for contractor personnel to complete\nsecurity awareness training. 
Furthermore, the Agency should ensure all contractor personnel complete security awareness training before gaining access to Agency systems. In addition, we recommend the Agency provide additional guidance to assist SSA components to identify contractors with significant information security responsibilities and ensure these contractors received specialized training.

48 SSA defined its employees and contractors with significant security responsibilities as Level 3 personnel. Level 3 personnel are “Employees with high levels of access to sensitive data who could affect agency-wide operations and/or who perform security, investigative, or auditing activities on a frequent basis. Personnel in these roles have significant access to sensitive information, such as social security records, medical records, business confidential documents, and other personally identifiable information, which needs to be protected against unauthorized access; fraudulent activities; and inappropriate disclosure and modification.” SSA, Information Systems Security Handbook, Appendix H, Security Training.

CONTINUED IMPLEMENTATION OF ITS CM STRATEGY

SSA’s CM program was generally consistent with FY 2011 FISMA requirements. 49 NIST established new guidelines for CM in August 2009. 50 The NIST control for CM provides that the organization establishes a CM strategy and implements a CM program that includes

• a configuration management process for the IS and its constituent components;
• a determination of the security impact of changes to the IS and the environment of operation;
• ongoing security control assessments in accordance with the organizational CM strategy; and
• reporting the security state of the IS to appropriate organizational officials. 51

SSA has documented CM policies and procedures and developed and issued its Strategy for Information Security Program Continuous Monitoring on September 16, 2011 to ensure compliance with all new requirements related to CM. The strategy is driven by the need to dynamically monitor the Agency’s security posture and provide real-time awareness of threats, vulnerabilities, and risks. This strategy identified gaps between the Agency’s existing CM program and existing and anticipated requirements and provided a road map to achieve SSA’s goals.

In addition, SSA has implemented CM for most of its core information processing environment. 52 While SSA generally had a consistent CM program and process, we determined there were opportunities for improvement in the Agency’s CM program and process in the following areas.

• SSA had not implemented a CM process for some of its servers in FY 2011 because it finalized the configuration guide for these servers in September 2011.
• Some of SSA’s CM data were not readily accessible to the Chief Information Security Officer (CISO). 53 For example, the reportable data for SSA’s configuration and vulnerability management tools for mainframe and some network assets is not readily accessible to the CISO.

49 See Appendix B, Section 8.
50 NIST, SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, pp. F-36 and F-37, August 2009. This guidance also provides that: “A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system. The implementation of a continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the impact level of the information system.”
51 NIST SP 800-53, Revision 3, supra at pp. F-36 and F-37.
52 SSA Enterprise Wide Mainframe & Distributed Network Telecommunications Services System (EWANS) System Security Plan (SSP), Section 1.10, p. 4, September 28, 2011, defines the core information processing environment as a combination of mainframe processors, UNIX computers, and Microsoft Windows servers and desktops used for its core information processing.

Moreover, in SSA’s FY 2009 Financial Statement Audit, GT identified that SSA did not have a formal process to detect and remove unauthorized software from all of its workstations. Our prior evaluation identified a similar finding. 54 This issue continues to exist in FY 2011. The above weaknesses may negatively impact SSA’s ability to correctly measure and timely remediate security vulnerabilities. For example, GT’s internal penetration testing 55 performed during its audit of SSA’s FY 2011 financial statements identified some security weaknesses. We communicated the details of these weaknesses to the Agency. SSA is implementing CM tools for some of these weaknesses.
However, these security weaknesses may have been discovered sooner had the Agency implemented additional CM processes for some of its applications and servers. Further, the limited accessibility of CM data provided to SSA’s CISO may impact his effectiveness in overseeing the Agency’s security program.

In addition, although NIST guidance promotes the concept of near real-time risk management, 56 SSA has limited real-time automated monitoring and reporting capacity. As indicated in SSA’s CM strategy, the absence of automated tools makes security metrics difficult to generate and labor intensive, and there are increased opportunities for human error. Adopting automated tools that consolidate CM information will reduce the burden of collecting data, increase the quality of data, and promote near real-time CM.

53 OMB guidance states that “[a]gencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other Agency management all need to have different levels of this information presented to them in ways that enable timely decision making.” OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, p. 1, April 21, 2010.
54 OIG reported SSA employees and contractors did not comply with the Agency’s software approval policy. SSA OIG, The Social Security Administration’s Approval and Monitoring of the Use of Software (A-14-10-21082), October 2010, p. 4.
55 Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. Internal penetration testing during SSA’s financial statement audit was performed by a tester acting as an "insider" without specific information about SSA’s information systems environment and with access to SSA facilities.
56 NIST SP 800-37, Revision 1, supra at p. 2 and NIST SP 800-53, Revision 3, supra at p. F-36.

NIST guidance provides that “. . . [t]he implementation of a robust continuous monitoring program allows an organization to understand the security state of the information system over time and maintain the initial security authorization in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business functions.” 57

We recommend SSA ensure implementation of its Strategy for Information Security Program Continuous Monitoring to fully meet the current and anticipated Federal requirements and address all gaps identified in the CM strategy and this report. In addition, SSA should ensure the CISO has access to all Agency CM data.

CONTRACTOR SYSTEM OVERSIGHT

We determined SSA’s contractor system 58 oversight program was generally consistent with FISMA requirements for FY 2011. 59 However, we identified some areas that need improvement. We found the following weaknesses.

• SSA’s Master System Inventory did not identify all contractor systems.
• SSA did not ensure that all contractor systems met FISMA requirements before putting them into operation.
• SSA’s contracts still did not include all FISMA requirements. 60

SSA’s FY 2011 Master System Inventory identified eight contractor systems. However, we found this inventory did not include all contractor systems. 61 These systems are a card production system, operated by an SSA contractor; E2 Solutions, operated by the General Services Administration; 62 and Cyber Security Assessment and Management (CSAM), 63 operated by the Department of Justice. 64

SSA stated E2 Solutions and CSAM should be excluded from the Agency’s inventory because (1) SSA is not responsible for the security authorization of the two systems, and (2) SSA has no “system-to-system” connection with CSAM. However, FISMA specifically requires that each agency provide information security protections for (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. 65 In addition, NIST guidance defers to OMB to provide guidance for the agency system inventory development and associated reporting requirements. 66 DHS began exercising FISMA responsibilities on behalf of OMB.

57 NIST SP 800-37, Revision 1, supra at p. 26.
58 Contractor systems are provided or managed by another agency, contractor, or other source.
59 See Appendix B, Section 10.
60 OMB M-11-33, supra, Frequently Asked Questions section, Question 38, pp. 14 and 15.
61 SSA did not include CSAM and E2 Solutions in its system inventory.
62 E2 Solutions is the travel system adopted by SSA.
63 CSAM is SSA’s FISMA tracking tool. CSAM enables the Agency and SSA’s C&A Managers to gather system information and to create reports to support the FISMA assessment. SSA also uses CSAM for managing the identified information security weaknesses.
64 In FY 2011, OIG found the Agency excluded CSAM and E2 Solutions from the inventory.
DHS guidance requires the OIG to evaluate whether the Agency has established a program that includes a complete inventory of systems operated by contractors or other entities on the Agency’s behalf. 67

As a result, we believe SSA should include these systems in its Master Systems Inventory because SSA needs to ensure it obtains sufficient assurance that security controls of such systems are effectively implemented and comply with Federal and Agency guidelines. 68

Moreover, for FY 2011, we found that SSA performed steps to confirm that the Department of Justice and the General Services Administration completed the security authorization for E2 and CSAM. However, the Agency did not perform steps to confirm that the contractor card production system had a security authorization.

We discussed this issue with the OIS. OIS staff stated that although the contractor system is part of SSA’s Security Management Access Control System 69 (SMACS), the Agency decided not to include the contractor system as a subsystem of SMACS because there was no direct “system-to-system” connection between SSA and the contractor but simply information sharing. As a result, SSA did not ensure completion of a security authorization for this system.

We do not agree with OIS. The contractor system processes PII used to create SSA’s Homeland Security Presidential Directive 12 70 (HSPD-12) employee and contractor credentials. As part of the credential creation process, SSA electronically transmits data files 71 containing PII to the contractor for the production of the credentials. At the end of the process, SSA receives the HSPD-12 credentials containing PII for its employees and contractors.

65 Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(A), 44 U.S.C. § 3544(a)(1)(A). FISMA provides for such protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of such information. Id.
66 NIST SP 800-53, Revision 3, supra at page G-3, PM-5.
67 DHS, FY 2011 Inspector General FISMA Reporting, Version 1.0, § 10.a(3), June 1, 2011.
68 DHS, supra, § 10.a(2).
69 SMACS is a major Agency application that securely gathers and stores privacy-related data for employment and, in certain cases, clearances.
70 HSPD-12 requires the development and implementation of a mandatory, Government-wide standard for secure and reliable forms of identification for Federal employees and contractors. OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005, p. 1.

In addition, the SMACS SSP describes the contractor’s services provided to SSA to implement the Agency’s HSPD-12 program. Federal HSPD-12 guidance requires that all systems involved in the HSPD-12 process comply with security authorization requirements. 72 Since the contractor’s system is used to implement HSPD-12, the system must comply with the security authorization requirements.

Further, in one of our current reviews, 73 we found SSA did not conduct a security authorization on this contractor system or obtain sufficient assurance that appropriate controls were implemented and working effectively to protect the PII entrusted to the contractor. In addition, SSA did not include all FISMA security requirements in the contract. Although we found the contractor had implemented security controls, SSA could not require that the contractor continue maintaining these controls without the proper contract requirements.

We reiterate our prior recommendations for SSA to include all contractor systems in its system inventory and ensure all appropriate contracts include Federal security requirements.

CONCLUSIONS AND RECOMMENDATIONS

Based on the results of OIG and GT’s work, we believe SSA’s information security programs and practices were generally consistent with FISMA requirements; however, some improvements are needed. SSA continues to work with us to identify ways of complying with FISMA. The Agency continues developing, implementing, and operating security controls to protect its sensitive data, assets, and operations.

In our prior FISMA reports, we identified issues related to SSA’s (1) computer security program, (2) access controls, (3) strategic planning, (4) protection of PII, (5) vulnerability remediation process, (6) contractor security awareness training, (7) incident reporting, (8) security authorization process, (9) contingency planning, and (10) contractor systems oversight. We affirm our prior recommendations in these areas and encourage the Agency to continue to implement them.

SSA should continue strengthening its overall security program and practices and ensure future compliance with FISMA and other information security related laws and regulations. Therefore, we recommend SSA:

1. Establish a timeframe for contractor personnel to complete security awareness training and ensure all contractor personnel complete security awareness training before being granted access to Agency systems;
2. Provide additional guidance to assist SSA components to identify contractors with significant information security responsibilities and ensure these contractors received specialized training;
3. Ensure implementation of its Strategy for Information Security Program Continuous Monitoring to fully meet the current and anticipated Federal requirements and address all gaps identified in the strategy and this report; and
4. Ensure the CISO has access to all Agency CM data.

71 The files contain the SSA employee’s or contractor’s first name, middle initial, last name, card expiration date, agency affiliation, and photograph.
72 Federal Information Processing Standards Publication 201, Personal Identity Verification of Federal Employees and Contractors, March 2006, p. 64.
73 SSA OIG, Contractor Security of the Social Security Administration's Homeland Security Presidential Directive-12 Credentials (A-14-11-11106). This report has not been issued to date.

                                        Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Office of the Inspector General Response to Federal Information Security Management Act of 2002 Metrics
APPENDIX C – Background and Current Security Status
APPENDIX D – Scope and Methodology
APPENDIX E – The Social Security Administration’s Major Systems
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
CISO          Chief Information Security Officer
CM            Continuous Monitoring
CSAM          Cyber Security Assessment and Management
DHS           Department of Homeland Security
DMF           Death Master File
FISM          Federal Information Security Memorandum
FISMA         Federal Information Security Management Act of 2002
FY            Fiscal Year
GT            Grant Thornton LLP
HSPD-12       Homeland Security Presidential Directive 12
IG            Inspector General
IS            Information Systems
NIST          National Institute of Standards and Technology
OIG           Office of the Inspector General
OIS           Office of Information Security
OMB           Office of Management and Budget
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
POA&M         Plan of Action and Milestones
SMACS         Security Management Access Control System
SP            Special Publication
SSA           Social Security Administration
SSP           System Security Plan
U.S.C.        United States Code
US-CERT       United States Computer Emergency Readiness Team

Appendix B

Office of the Inspector General Response to Federal Information Security Management Act of 2002 Metrics

Section 1: RISK MANAGEMENT

1.a. The Agency has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

1.a(1) Documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process.
       Yes
1.a(2) Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST 800-37, Rev. 1.
       Yes
1.a(3) Addresses risk from a mission and business process perspective and is guided by the risk decisions at the organizational perspective, as described in NIST 800-37, Rev. 1.
       Yes
1.a(4) Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective and the mission and business perspective, as described in NIST 800-37, Rev. 1.
       Yes
1.a(5) Categorizes information systems in accordance with government policies.
       Yes
1.a(6) Selects an appropriately tailored set of baseline security controls.
       Yes
1.a(7) Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation.
       Yes
       Comments: Due to budget cuts, the Social Security Administration (SSA) stated that it did not update the System Security Plans for two of its general support systems and did not perform annual security tests on them.

B-1

1.a(8) Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
       Yes
1.a(9) Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
       Yes
1.a(10) Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
       Yes
1.a(11) Information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks are communicated to appropriate levels of the organization.
       Yes
1.a(12) Senior Officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).
       Yes
1.a(13) Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks.
       Yes
1.a(14) Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies.
       Yes

Section 2: CONFIGURATION MANAGEMENT

2.a. The Agency has established and is maintaining a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

2.a(1) Documented policies and procedures for configuration management.
       Yes
2.a(2) Standard baseline configurations defined.
       Yes
       Comments: The Agency has established baseline configurations for most, but not all, environments.
       SSA does not have configuration baselines for two systems.
2.a(3) Assessing for compliance with baseline configurations.
       Yes
       Comments: We identified some weaknesses with SSA’s monitoring of configuration settings.
2.a(4) Process for timely, as specified in Agency policy or standards, remediation of scan result deviations.
       Yes
2.a(5) For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
       Yes
2.a(6) Documented proposed or actual changes to hardware and software configurations.
       Yes
2.a(7) Process for timely and secure installation of software patches.
       Yes

Section 3: INCIDENT RESPONSE AND REPORTING

3.a. The Agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

3.a(1) Documented policies and procedures for detecting, responding to and reporting incidents.
       Yes
       Comments: SSA can improve its incident response and reporting program by establishing additional guidance on reporting incidents to the Office of the Inspector General (OIG) and law enforcement.
3.a(2) Comprehensive analysis, validation and documentation of incidents.
       Yes
3.a(3) When applicable, reports to US-CERT within established timeframes.
       Yes
3.a(4) When applicable, reports to law enforcement within established timeframes.
       No
       Comments: SSA does not have an established timeframe for reporting incidents to law enforcement or the OIG. Additionally, SSA did not report any PII incidents to OIG due to an incorrect email address in its system.
3.a(5) Responds to and resolves incidents in a timely manner, as specified in Agency policy or standards, to minimize further damage.
       Yes
       Comments: SSA reports security incidents to the United States Computer Emergency Readiness Team timely. However, SSA has not established a timeframe to report security related incidents to law enforcement and the OIG. In addition, OIG did not receive any referrals for further investigation.
3.a(6) Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
       Yes
       Comments: SSA does not use virtual/cloud environments.
3.a(7) Is capable of correlating incidents.
       Yes

Section 4: SECURITY TRAINING

4.a. The Agency has established and is maintaining a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

4.a(1) Documented policies and procedures for security awareness training.
       Yes
4.a(2) Documented policies and procedures for specialized training for users with significant information security responsibilities.
       Yes
4.a(3) Security training content based on the organization and roles, as specified in Agency policy or standards.
       Yes
4.a(4) Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other Agency users) with access privileges that require security awareness training.
       No
       Comments: SSA currently does not track security awareness training for contractors. SSA stated it would have an automated system to track security awareness training next fiscal year.
4.a(5) Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other Agency users) with significant information security responsibilities that require specialized training.
       No
       Comments: SSA was not able to provide a comprehensive list of contractors with significant information security responsibilities. Therefore, we were unable to test this area.

Section 5: POA&M

5.a. The Agency has established and is maintaining a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

5.a(1) Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.
       Yes
5.a(2) Tracks, prioritizes and remediates weaknesses.
       Yes
5.a(3) Ensures remediation plans are effective for correcting weaknesses.
       Yes
5.a(4) Establishes and adheres to milestone remediation dates.
       Yes
5.a(5) Ensures resources are provided for correcting weaknesses.
       Yes
5.a(6) Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.
       Yes

Section 6: REMOTE ACCESS MANAGEMENT

6.a. The Agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

6.a(1) Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.
       Yes
6.a(2) Protects against unauthorized connections or subversion of authorized connections.
       Yes
6.a(3) Users are uniquely identified and authenticated for all access.
       Yes
6.a(4) If applicable, multi-factor authentication is required for remote access.
       Yes
6.a(5) Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
       Yes
6.a(6) Defines and implements encryption requirements for information transmitted across public networks.
       Yes
6.a(7) Remote access sessions, in accordance with OMB M-07-16, are timed out after 30 minutes of inactivity, after which re-authentication is required.
       Yes

Section 7: IDENTITY AND ACCESS MANAGEMENT

7.a. The Agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices.
Although improvement\n     opportunities may have been identified by the OIG, the program includes the following\n     attributes:\n      7.a(1) Documented policies and procedures for account and identity management.\n             Yes\n      7.a(2) Identifies all users, including federal employees, contractors, and others who\n             access Agency systems.\n             Yes\n      7.a(3) Identifies when special access requirements (e.g., multi-factor authentication)\n             are necessary.\n\n\n                                           B-6\n\x0c             Yes\n      7.a(4) If multi-factor authentication is in use, it is linked to the Agency\'s PIV\n             program where appropriate.\n             Yes\n      7.a(5) Ensures that the users are granted access based on needs and separation of\n             duties principles.\n             Yes\n             Comments: We identified some weaknesses with SSA\xe2\x80\x99s process to ensure\n             that users are granted access based on need and the separation of duties\n             principles.\n      7.a(6) Identifies devices that are attached to the network and distinguishes these\n             devices from users.\n             Yes\n             Comments: We identified some weaknesses with SSA\xe2\x80\x99s process to identify\n             devices attached to its network.\n      7.a(7) Ensures that accounts are terminated or deactivated once access is no longer\n             required.\n             Yes\n             Comments: We identified some weaknesses with SSA\xe2\x80\x99s process to ensure\n             that accounts are terminated or deactivated once access is no longer\n             required.\n      7.a(8) Identifies and controls use of shared accounts.\n             Yes\n             Comments: SSA stated that it does not allow users to share accounts.\n\n Section 8: CONTINUOUS MONITORING MANAGEMENT\n\n\n8.a. 
The Agency has established an enterprise-wide continuous monitoring program that\n       assesses the security state of information systems that is consistent with FISMA\n       requirements, OMB policy, and applicable NIST guidelines. Although improvement\n       opportunities may have been identified by the OIG, the program includes the\n       following attributes:\n      8.a(1) Documented policies and procedures for continuous monitoring.\n             Yes\n      8.a(2) Documented strategy and plans for continuous monitoring.\n             Yes\n\n\n\n\n                                            B-7\n\x0c       8.a(3) Ongoing assessments of security controls (system-specific, hybrid, and\n              common) that have been performed based on the approved continuous\n              monitoring plans.\n              Yes\n              Comments: SSA has not implemented configuration monitoring tools for\n              some of its servers.\n       8.a(4) Provides authorizing officials and other key system officials with security\n              status reports covering updates to security plans and security assessment\n              reports, as well as POA&M additions and updates with the frequency\n              defined in the strategy and/or plans.\n              Yes\n\n              Comments: There are Continuous Monitoring data not readily accessible to\n              SSA\xe2\x80\x99s Chief Information Security Officer.\n\n Section 9: CONTINGENCY PLANNING\n\n\n9.a. The Agency established and is maintaining an enterprise-wide business\n     continuity/disaster recovery program that is consistent with FISMA requirements,\n     OMB policy, and applicable NIST guidelines. 
Although improvement opportunities\n     may have been identified by the OIG, the program includes the following attributes:\n       9.a(1) Documented business continuity and disaster recovery policy providing the\n              authority and guidance necessary to reduce the impact of a disruptive event\n              or disaster.\n              Yes\n       9.a(2) The Agency has performed an overall Business Impact Analysis (BIA).\n              Yes\n              Comments: SSA\xe2\x80\x99s last Business Impact Analysis was conducted in 2004.\n       9.a(3) Development and documentation of division, component, and IT\n              infrastructure recovery strategies, plans and procedures.\n              Yes\n              Comments: The contingency plan for one system has remained in draft form\n              since Fiscal Year 2008.\n       9.a(4) Testing of system specific contingency plans.\n              Yes\n              Comments: SSA\xe2\x80\x99s disaster recovery exercise included 19 of the Agency\xe2\x80\x99s 21\n              major systems and applications.\n       9.a(5) The documented business continuity and disaster recovery plans are in place\n              and can be implemented when necessary.\n\n\n                                            B-8\n\x0c             Yes\n      9.a(6) Development of test, training, and exercise (TT&E) programs.\n             Yes\n      9.a(7) Performance of regular ongoing testing or exercising of business\n             continuity/disaster recovery plans to determine effectiveness and to maintain\n             current plans.\n             Yes\n\n Section 10: CONTRACTOR SYSTEMS\n\n\n10.a. The Agency has established and maintains a program to oversee systems operated on\n      its behalf by contractors or other entities, including Agency systems and services\n      residing in the cloud external to the Agency. 
Although improvement opportunities\n      may have been identified by the OIG, the program includes the following attributes:\n      10.a(1) Documented policies and procedures for information security oversight of\n              systems operated on the Agency\'s behalf by contractors or other entities,\n              including Agency systems and services residing in public cloud.\n               Yes\n      10.a(2) The Agency obtains sufficient assurance that security controls of such\n              systems and services are effectively implemented and comply with federal\n              and agency guidelines.\n               Yes\n               Comments: We found one contractor system where SSA did not comply\n               with the Federal requirements for contractor system oversight.\n      10.a(3) A complete inventory of systems operated on the Agency\'s behalf by\n              contractors or other entities, including Agency systems and services\n              residing in public cloud.\n               No\n               Comments: We found three contractor systems not included in the\n               Agency\xe2\x80\x99s master systems inventory. The Agency does not have any systems\n               located in a public cloud.\n      10.a(4) The inventory identifies interfaces between these systems and Agency-\n              operated systems.\n               Yes\n      10.a(5) The Agency requires appropriate agreements (e.g., MOUs, Interconnection\n              Security Agreements, contracts, etc.) 
for interfaces between these systems\n              and those that it owns and operates.\n               Yes\n      10.a(6) The inventory of contractor systems is updated at least annually.\n\n                                          B-9\n\x0c               Yes\n      10.a(7) Systems that are owned or operated by contractors or entities, including\n              Agency systems and services residing in public cloud, are compliant with\n              FISMA requirements, OMB policy, and applicable NIST guidelines.\n               Yes\n               Comments: SSA had 11 contractor systems. We tested 4 systems and\n               found one contractor system where SSA did not comply with the Federal\n               requirements for contractor system oversight.\n\n Section 11: SECURITY CAPITAL PLANNING\n\n\n11.a. The Agency has established and maintains a security capital planning and investment\n      program for information security. Although improvement opportunities may have\n      been identified by the OIG, the program includes the following attributes:\n      11.a(1) Documented policies and procedures to address information security in the\n              capital planning and investment control process.\n               Yes\n      11.a(2) Includes information security requirements as part of the capital planning\n              and investment process.\n               Yes\n      11.a(3) Establishes a discrete line item for information security in organizational\n              programming and documentation.\n               Yes\n      11.a(4) Employs a business case/Exhibit 300/Exhibit 53 to record the information\n              security resources required.\n               Yes\n      11.a(5) Ensures that information security resources are available for expenditure as\n              planned.\n               Yes\n\n\n\n\n                                           B-10\n\x0c                                                                                           Appendix 
C\n\nBackground and Current Security Status\nThe Federal Information Security Management Act of 2002 (FISMA) requires that\nagencies create protective environments for their information systems. It does so by\ncreating a framework for annual information technology security reviews, vulnerability\nreporting, and remediation planning, implementation, evaluation, and documentation. 1\nIn Fiscal Year (FY) 2005, the Social Security Administration (SSA) resolved the long-\nstanding internal controls reportable condition concerning its protection of information. 2\nHowever, during the FY 2009 through 2011 financial statement audits, SSA\xe2\x80\x99s\nmanagement of access to its systems was identified as a significant deficiency. 3 SSA\ncontinues to work with us and Grant Thornton LLP to further improve the security and\nthe protection of information and information systems and resolve other issues\nobserved during prior FISMA reviews.\n\nThis year, the Department of Homeland Security (DHS) prepared the FY 2011 Inspector\nGeneral (IG) Federal Information Security Management Act Reporting metrics, and will\noversee agencies\xe2\x80\x99 compliance with FISMA. DHS will also develop analyses for the\nOffice of Management and Budget (OMB) to assist in the development of the FISMA\nannual report. However, OMB will be responsible for the submission of the annual\nFISMA report to Congress. 4\n\nThe FY 2011 FISMA guidance, DHS Federal Information Security Memorandum 11-02,\nstates that the goal for Federal information security in FY 2011 is to build a defensible\nFederal enterprise that enables agencies to harness technological innovation, while\n\n1\n    Pub. L. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3544(a)(1), (a)(2), and (b)(1).\n2\n    SSA, FY 2005 Performance and Accountability Report, p. 
164.\n3\n  The definition of a significant deficiency for financial statement internal control is provided by the\nStatement on Auditing Standards Number 115 Communicating Internal Control-Related Matters Identified\nin an Audit. This Statement on Auditing Standards states a significant deficiency is a deficiency, or a\ncombination of deficiencies, in internal control that is less severe than a material weakness, yet important\nenough to merit attention by those charged with governance. A material weakness is a deficiency, or\ncombination of deficiencies, in internal control, such that there is a reasonable possibility that a material\nmisstatement of the entity\'s financial statements will not be prevented, or detected and corrected on a\ntimely basis. OMB provides the definition of a significant deficiency under FISMA. DHS FISM 11-02,\nFY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy\nManagement, Frequently Asked Questions section, August 24, 2011, p. 8, defines a significant deficiency\nas a weakness in an agency\xe2\x80\x99s overall information systems security program or management control\nstructure, or within one or more information systems that significantly restricts the capability of the agency\nto carry out its mission or compromises the security of its information, information systems, personnel, or\nother resources, operations, or assets. In this context, the risk is great enough that the agency head and\noutside agencies must be notified and immediate or near-immediate corrective action must be taken.\n4\n OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive\nOffice of the President and the Department of Homeland Security (DHS), July 6, 2010.\n\n\n                                                        C-1\n\x0cprotecting agency information and information systems. 5 To comply with the guidance,\nagencies must carry out the following three activities. 
6\n\n1. Monthly Data Feeds. Each month, agencies must load data from their automated\n   security management tools into DHS\xe2\x80\x99 CyberScope tool for a limited number of data\n   elements. The shift from the once-a-year FISMA reporting process to a monthly\n   reporting of key metrics through CyberScope allows security practitioners to make\n   decisions using more information\xe2\x94\x80delivered more quickly than ever before.\n\n2. Information Security Questions. Agencies must answer a set of information security\n   questions in CyberScope. These questions address areas of risk and are designed\n   to assess the implementation of security capabilities and measure their\n   effectiveness.\n\n3. CyberStat Review Sessions and Agency Interviews. Through CyberStat, DHS\n   cybersecurity experts engage with selected agencies to help them develop focused\n   action plans for improving their information security postures. For those agencies\n   not selected for a formal CyberStat review, a team of Government security\n   specialists will conduct interviews focused on specific threats facing each agency as\n   a consequence of its unique mission.\n\nFor FY 2011, IGs must assess their agencies\xe2\x80\x99 performance in 11 major FISMA\nprograms specified by DHS using pre-established key attributes for each program. 7 IGs\nwere also required to determine areas for significant improvement if any agency\nprograms did not have these key attributes.8 See details in Appendix B.\n\nThis report informs Congress and the public about SSA\xe2\x80\x99s information security\nperformance and fulfills OMB\'s requirement under FISMA to submit an annual report to\nCongress. It provides the results of an assessment of SSA\xe2\x80\x99s information technology\nsecurity strengths and weaknesses and a plan of action to improve performance. DHS\nrequires that agencies use CyberScope to submit the annual FISMA report.\n\n\n\n\n5\n    DHS FISM 11-02, supra at p.1.\n6\n    Id. 
at pp.1-2.\n7\n DHS, FY 2011 Inspector General Federal Information Security Management Act Reporting, Version 1.0,\nJune 1, 2011.\n8\n The DHS-specified attributes for each program and the significant improvement examples are posted on\nDHS\xe2\x80\x99s CyberScope Website. The agency Chief Information Officers and IGs all report through\nCyberScope.\n\n\n\n                                               C-2\n\x0c                                                                                       Appendix D\n\nScope and Methodology\nThe Federal Information Security Management Act of 2002 (FISMA) directs each\nagency\xe2\x80\x99s Office of Inspector General (OIG) to perform, or have an independent external\nauditor perform, an annual independent evaluation of the agency\xe2\x80\x99s information security\nprograms and practices, as well as a review of an appropriate subset of agency\nsystems. 1 We contracted with Grant Thornton LLP (GT) to audit the Social Security\nAdministration\xe2\x80\x99s (SSA) Fiscal Year (FY) 2011 financial statements. Because of the\nextensive internal control system work that is completed as part of that audit, our FISMA\nreview requirements were incorporated into the GT financial statement audit contract.\nThis evaluation included Federal Information System Controls Audit Manual level\nreviews of SSA\xe2\x80\x99s financial related information systems. 
GT performed an \xe2\x80\x9cagreed-upon\nprocedures\xe2\x80\x9d engagement using FISMA; Department of Homeland Security Federal\nInformation Security Memorandum 11-02, FY 2011 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy Management;\nNational Institute of Standards and Technology guidance; Federal Information System\nControls Audit Manual; and other relevant security laws and regulations as a framework\nto complete the OIG-required review of SSA\xe2\x80\x99s information security program and\npractices and its information systems.\n\nThe results of our FISMA evaluation are based on our FY 2011 financial statement audit\nand working papers related to its agreed-upon procedures engagement as well as\nvarious audits and evaluations performed by this office and other entities. We also\nreviewed SSA\xe2\x80\x99s 2011 FISMA Chief Information Officer Section Report.\n\nOur evaluation followed the Department of Homeland Security\xe2\x80\x99s FY 2011 FISMA\nguidance and focused on Risk Management, Configuration Management, Incident\nResponse and Reporting, Security Training, Plans of Action and Milestones, Remote\nAccess Management, Identity and Access Management, Continuous Monitoring\nManagement, Contingency Planning, Contractor Systems, and Security Capital\nPlanning.\n\nWe performed field work at SSA facilities nationwide from March to October 2011. We\nconsidered the results of other OIG audits performed in FY 2011. We conducted this\nperformance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n1\n  Pub. L. No. 
107-347, Title III, section 301(b), \xc2\xa7 3545 (a)(1), (a)(2), and (b)(1), 44 U.S.C \xc2\xa7 3545 (a)(1),\n(a)(2), and (b)(1).\n\x0c                                                                                      Appendix E\n\nThe Social Security Administration\xe2\x80\x99s Major Systems\n                                    System                                           Acronym\n                        General Support Systems 1\n    1   Audit Trail System                                                    ATS\n\n    2   Comprehensive Integrity Review Process                                CIRP\n\n    3   Death Alert Control and Update System                                 DACUS\n\n    4   Debt Management System                                                DMS\n        Enterprise Wide Mainframe & Distributed Network\n    5                                                                         EWANS\n        Telecommunications Services System\n    6   FALCON Data Entry System                                              FALCON\n\n    7   Human Resources Management Information System                         HRMIS\n\n    8   Integrated Client Data Base System                                    ICDB\n\n    9   Integrated Disability Management System                               IDMS\n\n10      Quality System                                                        QA\n\n11      Security Management Access Control System                             SMACS\n        Social Security Administration Online Accounting and\n12                                                                            SSOARS\n        Reporting System\n13      Security Unified Measurement System                                   SUMS\n\n                                Major Applications 2\n    1   Electronic Disability                                                 eDib\n    2   Earnings Record Maintenance System                                    ERMS\n\n    3   National 
Investigative Case Management System                         NICMS\n\n    4   Recovery of Overpayments, Accounting and Reporting System             ROAR\n\n1\n  Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources, Section A.2.c, defines a \xe2\x80\x9cgeneral support system\xe2\x80\x9d or \xe2\x80\x9csystem\xe2\x80\x9d as an interconnected\nset of information resources under the same direct management control which shares common\nfunctionality.\n2\n  Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources, Section A.2.d, defines a \xe2\x80\x9cmajor application\xe2\x80\x9d as an application that requires special\nattention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or\nunauthorized access to or modification of the information in the application.\n\n\n                                                   E-1\n\x0c                            System                                       Acronym\n5   Retirement, Survivors, Disability Insurance Accounting System   RSDI ACCTNG\n\n6   Supplemental Security Income Record Maintenance System          SSIRMS\n\n7   Social Security Number Establishment and Correction System      SSNECS\n8   Title II                                                        T2\n\n\n\n\n                                            E-2\n\x0c                                                                          Appendix F\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Brian Karpe, Director, Information Technology Audit Division\n   Grace Chi, Acting Audit Manager\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Tina Nevels, Auditor\n   Michael Zimmerman, Auditor\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff Assistant at\n(410) 965-4518. 
Refer to Common Identification Number A-14-11-01134.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Science, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Governmental Affairs, U.S.\nSenate\nChairman and Ranking Minority Member, Committee on Commerce, Science and\nTransportation, U.S. Senate\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. 
OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'